Hi Shane,

Thanks for your detailed reply. The point I am trying to highlight is the changes in TCP for DNS, which is "TCP out of order packet delivery, i.e. the OOOP".
On Thu, Dec 1, 2016 at 7:01 PM, Shane Kerr <[email protected]> wrote:
> Tariq,
>
> At 2016-12-01 12:50:16 +0500
> Tariq Saraj <[email protected]> wrote:
>
> > My question is that, at one side "Specification for DNS over Transport Layer Security (TLS) i.e. RFC7858" is a proposed standard now. Whereas, on the other side in the "draft-ietf-dprive-dnsodtls-13", the motivations for proposing DNS-over-DTLS are that
> >
> > o TCP suffers from network head-of-line blocking, where the loss of a packet causes all other TCP segments to not be delivered to the application until the lost packet is re-transmitted. DNS-over-DTLS, because it uses UDP, does not suffer from network head-of-line blocking.
> >
> > In the very next point of this draft it is also mentioned that "However, with TCP Fast Open [RFC7413], the implementation can achieve the same RTT efficiency as DTLS."
> > In addition to that, in the recent IETF97 meeting regarding the DNS privacy they have presented a technique of OOOP for TCP.
> > So, why does the community still need DTLS for DNS?
>
> TCP Fast Open does not work for the first connection between hosts. This makes it effective in cases where you expect repeated connections (such as in the stub to resolver case), but possibly less effective in cases where you do not expect repeated connections, or where you expect connections to happen a long time apart.
>
> Further, the specific drawback is about the case of lost packets. Since TCP (and thus TLS) is a stream-oriented protocol, it cannot deliver data until all packets in the sequence are available. So if packet #2 is lost, packets #3, #4, and all later packets cannot be delivered to the application until packet #2 is re-sent. DTLS, since it is a datagram protocol, does not have this limitation.
>
> To be honest, there has not been a strong push for DNS over DTLS. Even with DNS over DTLS, we need DNS over TLS as a fallback in the case of truncation. So adding DNS over DTLS is always an extra cost. It might be that DNS over DTLS is worth the extra code and complexity, but I think it is safe to say that we do not have enough operational experience yet to know for sure.
>
> Cheers,
>
> --
> Shane

--
Regards
Tariq Saraj
Riphah Institute of Systems Engineering, Islamabad
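An added illustration (not part of the thread or of any DNS implementation) of the head-of-line blocking Shane describes: DNS responses are framed for TCP with a 2-byte length prefix (RFC 1035), cut into constructed segments, and fed to a stream reassembler with segment #2 arriving last; the datagram model hands each message up as it arrives. Message contents and segment size are constructed sample values.

```python
import struct

# Constructed sample: three DNS responses (payloads abbreviated) framed for
# TCP as in RFC 1035: a 2-byte big-endian length prefix before each message.
MESSAGES = [b"resp-A", b"resp-BB", b"resp-CCC"]

def tcp_frame(messages):
    """Concatenate messages with 2-byte length prefixes into one byte stream."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)

def split_segments(stream, size):
    """Cut the stream into fixed-size TCP segments numbered from 1."""
    return {i + 1: stream[i * size:(i + 1) * size]
            for i in range((len(stream) + size - 1) // size)}

def parse_frames(buf):
    """Return (complete DNS messages, leftover bytes) from an in-order buffer."""
    out = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:        # message still incomplete, wait for more
            break
        out.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return out, buf

def stream_delivery(segments, arrival_order):
    """TCP/TLS model: the application sees bytes only in sequence order, so a
    lost segment holds back every later one until it is retransmitted.
    Returns, per arrival, the DNS messages that became readable at that step."""
    reorder, pending, next_seq, per_arrival = {}, b"", 1, []
    for seq in arrival_order:
        reorder[seq] = segments[seq]
        while next_seq in reorder:      # release only the contiguous prefix
            pending += reorder.pop(next_seq)
            next_seq += 1
        msgs, pending = parse_frames(pending)
        per_arrival.append(msgs)
    return per_arrival

def datagram_delivery(messages, arrival_order):
    """UDP/DTLS model: each datagram carries a whole message and is handed to
    the application as soon as it arrives, whatever arrived before it."""
    return [[messages[i - 1]] for i in arrival_order]

if __name__ == "__main__":
    segs = split_segments(tcp_frame(MESSAGES), 9)   # 27 bytes -> 3 segments
    print("stream  :", stream_delivery(segs, [1, 3, 2]))   # nothing at step 2
    print("datagram:", datagram_delivery(MESSAGES, [1, 3, 2]))
```

With segment #2 lost, the stream model delivers nothing when #3 arrives and releases both remaining messages only after the retransmission, while the datagram model delivers message C immediately.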
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
